Onnowpurbo: New page: Sumber: https://nmap.org/nsedoc/scripts/smb-enum-users.html ==File smb-enum-users== Script types: hostrule Categories: auth, intrusive Download: http://nmap.org/svn/scripts/smb-enum...

2016-02-14T13:44:25Z

New page: Sumber: https://nmap.org/nsedoc/scripts/smb-enum-users.html ==File smb-enum-users== Script types: hostrule Categories: auth, intrusive Download: http://nmap.org/svn/scripts/smb-enum...

New page

Sumber: https://nmap.org/nsedoc/scripts/smb-enum-users.html

==File smb-enum-users==

Script types: hostrule
Categories: auth, intrusive
Download: http://nmap.org/svn/scripts/smb-enum-users.nse

==User Summary==

Attempts to enumerate the users on a remote Windows system, with as much information as possible, through two different techniques (both over MSRPC, which uses port 445 or 139; see smb.lua). The goal of this script is to discover all user accounts that exist on a remote system. This can be helpful for administration, by seeing who has an account on a server, or for penetration testing or network footprinting, by determining which accounts exist on a system.

A penetration tester who is examining servers may wish to determine the purpose of a server. By getting a list of who has access to it, the tester might get a better idea (if financial people have accounts, it probably relates to financial information). Additionally, knowing which accounts exist on a system (or on multiple systems) allows the pen-tester to build a dictionary of possible usernames for bruteforces, such as a SMB bruteforce or a Telnet bruteforce. These accounts may be helpful for other purposes, such as using the accounts in Web applications on this or other servers.

From a pen-testers perspective, retrieving the list of users on any given server creates endless possibilities.

Users are enumerated in two different ways: using SAMR enumeration or LSA bruteforcing. By default, both are used, but they have specific advantages and disadvantages. Using both is a great default, but in certain circumstances it may be best to give preference to one.

Advantages of using SAMR enumeration:

Stealthier (requires one packet/user account, whereas LSA uses at least 10 packets while SAMR uses half that; additionally, LSA makes a lot of noise in the Windows event log (LSA enumeration is the only script I (Ron Bowes) have been called on by the administrator of a box I was testing against).
More information is returned (more than just the username).
Every account will be found, since they're being enumerated with a function that's designed to enumerate users.

Advantages of using LSA bruteforcing:

More accounts are returned (system accounts, groups, and aliases are returned, not just users).
Requires a lower-level account to run on Windows XP and higher (a 'guest' account can be used, whereas SAMR enumeration requires a 'user' account; especially useful when only guest access is allowed, or when an account has a blank password (which effectively gives it guest access)).

==Example Usage==

nmap --script smb-enum-users.nse -p445 <host>
sudo nmap -sU -sS --script smb-enum-users.nse -p U:137,T:139 <host>

==Script Output==

Host script results:
| smb-enum-users:
|_ |_ Domain: RON-WIN2K-TEST; Users: Administrator, Guest, IUSR_RON-WIN2K-TEST, IWAM_RON-WIN2K-TEST, test1234, TsInternetUser

Host script results:
| smb-enum-users:
| | RON-WIN2K-TEST\Administrator (RID: 500)
| | | Description: Built-in account for administering the computer/domain
| | |_ Flags: Password does not expire, Normal user account
| | RON-WIN2K-TEST\Guest (RID: 501)
| | | Description: Built-in account for guest access to the computer/domain
| | |_ Flags: Password not required, Password does not expire, Normal user account
| | RON-WIN2K-TEST\IUSR_RON-WIN2K-TEST (RID: 1001)
| | | Full name: Internet Guest Account
| | | Description: Built-in account for anonymous access to Internet Information Services
| | |_ Flags: Password not required, Password does not expire, Normal user account
| | RON-WIN2K-TEST\IWAM_RON-WIN2K-TEST (RID: 1002)
| | | Full name: Launch IIS Process Account
| | | Description: Built-in account for Internet Information Services to start out of process applications
| | |_ Flags: Password not required, Password does not expire, Normal user account
| | RON-WIN2K-TEST\test1234 (RID: 1005)
| | |_ Flags: Normal user account
| | RON-WIN2K-TEST\TsInternetUser (RID: 1000)
| | | Full name: TsInternetUser
| | | Description: This user account is used by Terminal Services.
|_ |_ |_ Flags: Password not required, Password does not expire, Normal user account

Contoh lain

Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2016-02-14 20:40 WIB
Stats: 0:00:02 elapsed; 0 hosts completed (0 up), 1 undergoing ARP Ping Scan
Parallel DNS resolution of 1 host. Timing: About 0.00% done
Nmap scan report for 192.168.0.80
Host is up (0.0018s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
MAC Address: 36:66:33:66:32:39 (Unknown)

Host script results:
| smb-enum-users:
| WIKI\onno (RID: 1000)
| Full name: onno
| Description:
| Flags: Normal user account
| WIKI\tamu (RID: 1001)
| Full name:
| Description:
| Flags: Normal user account
| WIKI\tamu1 (RID: 1002)
| Full name:
| Description:
| Flags: Normal user account
| WIKI\tamu2 (RID: 1003)
| Full name:
| Description:
|_ Flags: Normal user account

Nmap done: 1 IP address (1 host up) scanned in 14.61 seconds

==Referensi==

* https://nmap.org/nsedoc/scripts/smb-enum-users.html

Nmap: enumeration smb user - Revision history

Onnowpurbo: New page: Sumber: https://nmap.org/nsedoc/scripts/smb-enum-users.html ==File smb-enum-users== Script types: hostrule Categories: auth, intrusive Download: http://nmap.org/svn/scripts/smb-enum...